


==Brief Summary==

XML must be well-formed to be usable. XML which is not well-formed will fail when parsed by the XML parser on the server side. A parser has to read through the entire XML message serially in order to assess its well-formedness.

XML parsing is also CPU-intensive. Some attack vectors exploit this by sending very large or malformed XML messages.

Testers can craft XML documents structured so as to cause a denial of service on the receiving server by tying up memory and CPU resources: such documents overload the XML parser, which, as noted above, is CPU-intensive in any case.

==Description of the Issue==

This section discusses the types of attack vectors one could send to a web service in an attempt to assess its reaction to malformed or maliciously crafted messages.

For example, elements which contain large numbers of attributes can cause problems with parsers. This category of attack also includes XML documents which are not well-formed (e.g., with overlapping elements, or with open tags that have no matching close tags).

DOM-based parsing can be vulnerable to DoS because the complete message is loaded into memory (as opposed to SAX parsing, which is event-driven). For example, oversized attachments can cause an issue with DOM architectures.

'''Web Services weakness:''' The XML has to be parsed (via SAX or DOM) before the structure and content of the message can be validated, so malformed input reaches the parser before any application-level validation runs.

==Black Box Testing and example==

'''Examples:'''

'''Malformed structure:''' The XML message must be well-formed in order to be successfully parsed. Malformed SOAP messages may cause unhandled exceptions to occur.

'''Very large and unexpected payload:''' A web service utilizing DOM-based parsing can be "upset" by including a very large payload in the XML message, which the parser would be obliged to parse.

Web Services can also carry a binary attachment such as a Blob or an exe. Web service attachments are encoded in base64 format, since the trend is that DIME (Direct Internet Message Encapsulation) seems to be a dead-end solution.

By attaching a very large base64 string to the message, a tester may consume parser resources to the point of affecting availability. Additional attacks may include the injection of an infected binary file into the base64 binary stream. Inadequate parsing of such an attachment may exhaust resources.
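The following is an added example, not code from this page or from any tool it mentions. It shows the defensive counterpart of the weaknesses described in the two sections above (malformed structure, attribute-heavy elements, DOM memory use, oversized or bogus base64 attachments): a receiver that enforces size and shape limits before and during a streaming (SAX-style) parse and turns every failure into a controlled rejection instead of an unhandled exception. The `<attachment>` element name, the limit values and the sample messages are constructed assumptions; a real service would size the limits to its largest legitimate traffic.

```python
import base64
import binascii
import io
import xml.etree.ElementTree as ET

# Limits are constructed for this example (assumptions, not values from the page).
MAX_MESSAGE_BYTES = 64 * 1024          # refused before any parsing starts
MAX_ELEMENTS = 1000                    # bounds parser work per message
MAX_ATTRIBUTES_PER_ELEMENT = 32        # "elements with large numbers of attributes"
MAX_ATTACHMENT_B64_CHARS = 16 * 1024   # bounds the base64 string before decoding it


class MessageRejected(Exception):
    """Controlled rejection: the caller maps this to a SOAP Fault, never a 500."""

    def __init__(self, reason: str, detail: str = ""):
        super().__init__(f"{reason}: {detail}" if detail else reason)
        self.reason = reason


def local_name(tag: str) -> str:
    """Strip a '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def check_message(raw: bytes) -> dict:
    """Stream-parse one message within fixed limits.

    iterparse is event-driven (SAX-like) rather than DOM-building, and processed
    elements are cleared as they complete, so memory stays bounded whatever the
    message size.  Every structural problem becomes a MessageRejected.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        raise MessageRejected("too_large", f"{len(raw)} bytes")
    elements = 0
    attachments = []   # decoded size of each <attachment> (hypothetical element name)
    try:
        for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":           # attributes are known at the start tag
                elements += 1
                if elements > MAX_ELEMENTS:
                    raise MessageRejected("too_many_elements")
                if len(elem.attrib) > MAX_ATTRIBUTES_PER_ELEMENT:
                    raise MessageRejected("too_many_attributes", local_name(elem.tag))
                continue
            if local_name(elem.tag) == "attachment":
                text = (elem.text or "").strip()
                if len(text) > MAX_ATTACHMENT_B64_CHARS:
                    raise MessageRejected("attachment_too_large", f"{len(text)} chars")
                try:
                    attachments.append(len(base64.b64decode(text, validate=True)))
                except binascii.Error as exc:
                    raise MessageRejected("bad_base64", str(exc)) from exc
            elem.clear()   # release processed content; the partial tree never grows
    except ET.ParseError as exc:
        # overlapping elements, unclosed tags, illegal characters all land here
        raise MessageRejected("malformed", str(exc)) from exc
    return {"elements": elements, "attachments": attachments}


def verdict(raw: bytes) -> str:
    """Reason code for a rejected message, or 'accepted'."""
    try:
        check_message(raw)
    except MessageRejected as exc:
        return exc.reason
    return "accepted"


# Constructed sample messages (not taken from the page).
GOOD = (b'<?xml version="1.0"?><Envelope><Body><note><to>ops</to></note>'
        b'<attachment>' + base64.b64encode(b"hello") + b'</attachment></Body></Envelope>')
OVERLAPPING = b'<Envelope><Body><note></Body></note></Envelope>'
UNCLOSED = b'<Envelope><Body><note>'
MANY_ATTRIBUTES = (b'<Envelope><item ' + b' '.join(b'a%d="1"' % i for i in range(33))
                   + b'/></Envelope>')
ELEMENT_FLOOD = b'<Envelope>' + b'<e/>' * 2000 + b'</Envelope>'
OVERSIZED = b'<Envelope>' + b'x' * (MAX_MESSAGE_BYTES + 1) + b'</Envelope>'
HUGE_ATTACHMENT = (b'<Envelope><attachment>' + b'A' * (MAX_ATTACHMENT_B64_CHARS + 4)
                   + b'</attachment></Envelope>')
BAD_ATTACHMENT = b'<Envelope><attachment>not base64!!</attachment></Envelope>'

if __name__ == "__main__":
    samples = [("GOOD", GOOD), ("OVERLAPPING", OVERLAPPING), ("UNCLOSED", UNCLOSED),
               ("MANY_ATTRIBUTES", MANY_ATTRIBUTES), ("ELEMENT_FLOOD", ELEMENT_FLOOD),
               ("OVERSIZED", OVERSIZED), ("HUGE_ATTACHMENT", HUGE_ATTACHMENT),
               ("BAD_ATTACHMENT", BAD_ATTACHMENT)]
    for name, msg in samples:
        print(f"{name:16} -> {verdict(msg)}")
```

Running the block prints one verdict per sample. The byte-size check belongs in front of the parser (at the HTTP layer or a gateway) so an oversized message is refused before parsing begins; the element, attribute and attachment limits are what keep a DOM-free parse bounded; and mapping `MessageRejected` to a generic SOAP Fault is what turns the "unhandled exception" finding of a black-box test into a handled rejection.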

'''WSDigger'''

Using this tool, one can insert malicious data into a web service method and see the results in the output of the WSDigger interface.

WSDigger contains sample attack plug-ins for:

* SQL injection
* cross site scripting
* XPATH injection attacks

[[Image:wsdigger_attack.jpg]]

==Grey Box Testing and example==

If one has access to the schema of the web service, it should be examined. One should assess whether all parameters are subject to data validation. Restrictions on acceptable values should be implemented in accordance with data validation best practice. The following XML Schema restriction facets can express such constraints:

'''enumeration''': Defines a list of acceptable values.

'''fractionDigits''': Specifies the maximum number of decimal places allowed. The facet value must be greater than or equal to zero.

'''length''': Specifies the exact number of characters or list items allowed. The facet value must be greater than or equal to zero.

'''maxExclusive''': Specifies the upper bound for numeric values (the value must be less than this value).

'''maxInclusive''': Specifies the upper bound for numeric values (the value must be less than or equal to this value).

'''maxLength''': Specifies the maximum number of characters or list items allowed. The facet value must be greater than or equal to zero.

'''minExclusive''': Specifies the lower bound for numeric values (the value must be greater than this value).

'''minInclusive''': Specifies the lower bound for numeric values (the value must be greater than or equal to this value).

'''minLength''': Specifies the minimum number of characters or list items allowed. The facet value must be greater than or equal to zero.

'''pattern''': Defines, as a regular expression, the sequence of characters that is acceptable.

'''totalDigits''': Specifies the exact number of digits allowed. The facet value must be greater than zero.
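The facets listed above applied to parameter values, as an added example that is not part of the original page. It embeds a constructed schema fragment (the `AccountId`, `Amount` and `Currency` types are assumptions, not any real service's WSDL) and a small checker that reads the `xs:restriction` facets with the standard library and reports which facets a candidate value violates, so a grey-box tester can see concretely which inputs a properly restricted schema would reject. It is a teaching checker limited to the facets named above (`totalDigits` and `fractionDigits` are applied as upper bounds, as the XML Schema datatypes specification defines them), not a substitute for a full schema validator.

```python
import re
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed schema fragment (an assumption, not the page's schema): restricted
# simple types of the kind a web service's WSDL might declare for its parameters.
SCHEMA = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:simpleType name="AccountId">
    <xs:restriction base="xs:string">
      <xs:minLength value="4"/>
      <xs:maxLength value="8"/>
      <xs:pattern value="[A-Z]{2}[0-9]+"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="Amount">
    <xs:restriction base="xs:decimal">
      <xs:minExclusive value="0"/>
      <xs:maxInclusive value="10000"/>
      <xs:totalDigits value="7"/>
      <xs:fractionDigits value="2"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="Currency">
    <xs:restriction base="xs:string">
      <xs:enumeration value="EUR"/>
      <xs:enumeration value="USD"/>
      <xs:length value="3"/>
    </xs:restriction>
  </xs:simpleType>
</xs:schema>"""


def load_facets(schema_xml: str) -> dict:
    """Map each simpleType name to the (facet, value) pairs of its xs:restriction."""
    types = {}
    for simple_type in ET.fromstring(schema_xml).iter(XS + "simpleType"):
        restriction = simple_type.find(XS + "restriction")
        types[simple_type.get("name")] = [
            (child.tag[len(XS):], child.get("value")) for child in restriction
        ]
    return types


def parse_decimal(text: str):
    """Finite Decimal for a numeric string, else None (rejects NaN/Infinity too)."""
    try:
        number = Decimal(text)
    except InvalidOperation:
        return None
    return number if number.is_finite() else None


def violations(value: str, facets: list) -> list:
    """Names of the facets that `value` violates, in schema order; [] means it passes."""
    failed = []
    allowed = [v for facet, v in facets if facet == "enumeration"]
    if allowed and value not in allowed:
        failed.append("enumeration")       # one check for the whole enumeration list
    for facet, limit in facets:
        if facet == "enumeration":
            continue
        if facet in ("length", "minLength", "maxLength"):
            n, lim = len(value), int(limit)
            ok = {"length": n == lim, "minLength": n >= lim, "maxLength": n <= lim}[facet]
        elif facet == "pattern":
            # XSD patterns are implicitly anchored; fullmatch gives the same effect
            ok = re.fullmatch(limit, value) is not None
        else:                              # numeric facets need a parsable number first
            number = parse_decimal(value)
            if number is None:
                failed.append(facet)
                continue
            digits, exponent = number.as_tuple().digits, number.as_tuple().exponent
            ok = {
                "minInclusive": lambda: number >= Decimal(limit),
                "minExclusive": lambda: number > Decimal(limit),
                "maxInclusive": lambda: number <= Decimal(limit),
                "maxExclusive": lambda: number < Decimal(limit),
                "totalDigits": lambda: len(digits) <= int(limit),        # upper bound
                "fractionDigits": lambda: max(0, -exponent) <= int(limit),
            }.get(facet, lambda: True)()   # facets this checker does not cover pass
        if not ok:
            failed.append(facet)
    return failed


SCHEMA_TYPES = load_facets(SCHEMA)


def check(type_name: str, value: str) -> list:
    """Validate one parameter value against the named schema type."""
    return violations(value, SCHEMA_TYPES[type_name])


if __name__ == "__main__":
    for type_name, value in [("AccountId", "AB1234"), ("AccountId", "ab123456789"),
                             ("Amount", "12345.678"), ("Amount", "NaN"), ("Currency", "EURO")]:
        print(f"{type_name}={value!r}: {check(type_name, value) or 'valid'}")
```

The value of running this against a service's real schema is the inverse question: for each parameter, which of these facets is missing? A string type with no `maxLength`, or a decimal with no `totalDigits`, is exactly where the oversized payloads from the black-box section are not caught by validation and reach the application.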